Adjust policy-lookup behaviour (e.g. always use same policy class)

[mattzollinhofer]

Basic Issue

If I use a custom policy for authorization (ex: authorize @post, policy_class: SpecialPostPolicy) in my controller how do I use policy(@post) to get the same policy in my view? Here's an example.

Simple Use Case

Controller:

def show
  @user = authorize User.find(params[:id]), policy_class: SpecialPostPolicy
end

View:

<%# This won't use `SpecialPostPolicy`, it'll use `PostPolicy` %>
<% if policy(@post).update? %>
  <%= link_to "Edit post", edit_post_path(@post) %>
<% end %>

Additional Commentary

I believe that in a previous version of Pundit the authorize call would call the policy method that was mixed into the controller it was working in the context of. But when authorization was extracted, I think that link was broken. We'd used that "seam" to be able to override def policy in our controller which allowed both the authorize call and the view to use the same policy. It's unclear to me how to use the same custom policy now. I believe this comment is referring to a related idea.

[Burgestrand]

Hi @mattzollinhofer! I'd be interested in hearing your reaction to the following idea: #774

[sequielo]

I believe you should be able to manually instantiate the policy this way:

  <% if SpecialPostPolicy.new(pundit_user, @post).update? %>

Hope this helps for now.

[Burgestrand]

Question on this particular issue, are you looking to specifically get the same instance back, or just the same policy lookup behaviour?

For the latter, the above comment seems sufficient to me: #740 (comment)

[mattzollinhofer]

@Burgestrand: I'm a few years removed from this project at this point so my memory is failing on this front.

I believe the point was that policy and authorize both finding the same custom policy was helpful and felt natural. I do think that this is a functional work around and that's probably just fine. You're welcome to close this issue if it's helpful to get it off your stack.

As I said, I'm far enough removed that I'm struggling to recall the specific details ... but my recollection is that from a user's perspective, the idea of having the controller declare/provide a custom policy that would be used for both the controller (via authorize) and also views stemming from that controller call (via policy) would be really ergonomic.

I see you merged a PR that's starting to move in this direction, but are still thinking about some of these details. Great work! I'm really impressed at how you've been able to keep up with this!!!

I've needed to change projects into a Java/React space, but this very long 😄 conversation we've had over the years gives me a bit of inspiration that getting back to a rails project would be wonderful!!! Love the people in this community!

[Burgestrand]

Thanks @mattzollinhofer! Hehe, with a cadence of "a few parts of a day over the month" some things do take time, especially if I want to be mindful about backwards-compatibility 😁

Yeah, reading this a few times again I believe you're correct. The original suggestion seems to be that calling authorize(record, policy_class:) with a specific policy_class: could change which class policy(record) (no policy_class) implicitly finds.

It makes sense that a controller has a specific lookup behaviour. That would be nice.

I don't think passing policy_class should change the behaviour of following authorize and policy.

I think I'll keep this issue around, but probably change the title again 😄